authorLibravatar smitsohu <smitsohu@gmail.com>2017-09-25 15:57:50 +0200
committerLibravatar smitsohu <smitsohu@gmail.com>2017-09-25 15:57:50 +0200
commit9b99215a1eb2ac5ff8fddeff3e43b725fee18ca2 (patch)
tree632cecd6b845ecc93c5024170671a9894c2cda49 /etc
parentfix nginx and apache2, possible fix for #1534 (diff)
various profile enhancements
* okular has recently started needing kdeinit4 for the open-file dialog * memory-deny-write-execute should be a safe addition for desktop use of dnscrypt and unbound * cleanup work
Diffstat (limited to 'etc')
-rw-r--r--etc/baloo_file.profile4
-rw-r--r--etc/disable-programs.inc1
-rw-r--r--etc/dnscrypt-proxy.profile3
-rw-r--r--etc/dnsmasq.profile1
-rw-r--r--etc/evince.profile2
-rw-r--r--etc/ffmpeg.profile12
-rw-r--r--etc/okular.profile2
-rw-r--r--etc/unbound.profile3
8 files changed, 16 insertions, 12 deletions
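--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -17,6 +17,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 no3d
 nodvd
@@ -29,8 +31,10 @@ novideo
 protocol unix
 # Baloo makes ioprio_set system calls, which are blacklisted by default.
 seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+shell none
 x11 xorg
 
+private-bin baloo_file,baloo_file_extractor,kbuildsycoca4
 private-dev
 private-tmp
 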
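Review bot: The new `private-bin baloo_file,baloo_file_extractor,kbuildsycoca4` line gives no reason for the two helper binaries, while the seccomp line just above it does document its exception; with private-bin in force, any helper missing from the list is simply absent inside the sandbox, so the purpose of each entry is worth recording next to it. Presumably baloo_file spawns baloo_file_extractor and invokes kbuildsycoca4 for the KDE service cache, but that is inferred from the names, not from this hunk, so I would confirm it and add a comment such as `# baloo_file spawns baloo_file_extractor and kbuildsycoca4; keep both in private-bin`. The added `shell none` and the whitelist-var-common include match the other profiles in this commit and need no note.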
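--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -378,6 +378,7 @@ blacklist ${HOME}/.synfig
 blacklist ${HOME}/.tconn
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tooling
+blacklist ${HOME}/.tor-browser-en
 blacklist ${HOME}/.ts3client
 blacklist ${HOME}/.tuxguitar*
 blacklist ${HOME}/.unknow-horizons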
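Review bot: The added `blacklist ${HOME}/.tor-browser-en` covers only the English-suffixed directory, so if the same installer produces a differently suffixed directory for another locale, that one stays readable from every sandboxed program. The `blacklist ${HOME}/.tuxguitar*` entry two lines below is the file's existing glob form for name variants, so `blacklist ${HOME}/.tor-browser*` would follow that convention and is the tighter choice for a denylist. If the directory name is in fact fixed to `-en` for every install, a short comment saying so would save the next reader the same question.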
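--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -31,4 +30,4 @@ private
 private-dev
 
 # mdwe can break modules/plugins
-# memory-deny-write-execute
+memory-deny-write-execute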
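Review bot: After the second hunk the comment `# mdwe can break modules/plugins` sits directly above an active `memory-deny-write-execute`, so it now reads as a warning against the very directive it introduces; the identical pair is left in etc/unbound.profile. The commit message says the directive is considered safe for desktop use, and that is what the comment should now state, e.g. `# memory-deny-write-execute is enabled for desktop use; if modules/plugins break, drop it in the persistent local customizations file`. The removal of `noblacklist /var/log` in the first hunk is only a no-op if nothing the daemon writes under /var/log is blacklisted by the included files, which this page does not show; worth confirming against disable-common.inc before relying on it as pure cleanup.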
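--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc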
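--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+# net none breaks AppArmor on Ubuntu systems
 netfilter
 no3d
 nodvd
@@ -28,7 +29,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-# net none breaks AppArmor on Ubuntu systems
 
 private-bin evince,evince-previewer,evince-thumbnailer
 private-dev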
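Review bot: The relocated comment `# net none breaks AppArmor on Ubuntu systems` now sits above `netfilter`, but it still names only a directive that is absent from the profile, so a reader has to infer that netfilter is the substitute. Extending it to `# net none breaks AppArmor on Ubuntu systems, so netfilter is used instead` makes the new placement self-explanatory.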
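--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -1,4 +1,4 @@
-# Firejail profile for default
+# Firejail profile for ffmpeg
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 no3d
@@ -23,11 +25,11 @@ noroot
 # protocol none - needs to be implemented!
 seccomp
 # seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
-# memory-deny-write-execute - it breaks old versions of ffmpeg
 shell none
 tracelog
 
-private-tmp
-private-dev
 private-bin ffmpeg
-include /etc/firejail/whitelist-var-common.inc
+private-dev
+private-tmp
+
+# memory-deny-write-execute - it breaks old versions of ffmpeg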
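Review bot: The relocated `# memory-deny-write-execute - it breaks old versions of ffmpeg` now closes the file as its own paragraph, but it still does not say which versions break or when the directive should be revisited, so it is likely to stay disabled indefinitely. I would record what is known, e.g. `# memory-deny-write-execute - breaks ffmpeg before <version, to be confirmed>; re-test and enable once that version is out of use`. The reordering of the private-* lines and the moved whitelist-var-common include are consistent with the other profiles in this commit.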
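--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -36,7 +36,7 @@ seccomp
 shell none
 tracelog
 
-# private-bin okular,kbuildsycoca4,lpr
+# private-bin okular,kbuildsycoca4,kdeinit4,lpr
 private-dev
 # private-etc fonts,X11
 private-tmp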
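Review bot: The change to `# private-bin okular,kbuildsycoca4,kdeinit4,lpr` edits a commented-out directive, so adding kdeinit4 has no effect on the running sandbox, and the open-file-dialog fix named in the commit message only lands when someone uncomments the line. A comment above it should say why private-bin stays disabled for okular and that kdeinit4 is a prerequisite when it is enabled, e.g. `# private-bin is kept disabled because <reason, to be confirmed>; kdeinit4 is required for the open file dialog if it is enabled`. Without that, the next reader cannot tell whether the directive is off by oversight or by design.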
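--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -31,4 +30,4 @@ private
 private-dev
 
 # mdwe can break modules/plugins
-# memory-deny-write-execute
+memory-deny-write-execute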