author | smitsohu <smitsohu@gmail.com> | 2017-08-08 21:31:50 +0200 |
committer | Fred Barclay <Fred-Barclay@users.noreply.github.com> | 2017-08-08 14:31:50 -0500 |
commit | 40a51e179d90f54a20c539567adeed1ea0b94d78 (patch) | |
tree | 48f41f500a4a4cbdd1744365919dd0c2dc99931a /etc | |
parent | Merges (diff) | |
various little profile fixes and enhancements (#1442)
* add novideo
* add novideo
* add novideo
* put noexec last
* blacklist Clementine configuration and database
* blacklist Clementine configuration and database
* add novideo
* add novideo, permit access to ~/.java
* add novideo
* spoof machine-id
* mimeapps.list is already in whitelist-common.inc
* ~/.local/share/applications is already read-only
see disable-common.inc
* mimeapps.list is already in whitelist-common.inc
* ~/.local/share/applications is already read-only
see disable-common.inc
* drop machine-id option
private-etc hides it anyway
Diffstat (limited to 'etc')
-rw-r--r-- | etc/ark.profile | 1 | ||||
-rw-r--r-- | etc/audacious.profile | 1 | ||||
-rw-r--r-- | etc/baloo_file.profile | 2 | ||||
-rw-r--r-- | etc/clementine.profile | 1 | ||||
-rw-r--r-- | etc/disable-programs.inc | 1 | ||||
-rw-r--r-- | etc/geary.profile | 2 | ||||
-rw-r--r-- | etc/gwenview.profile | 1 | ||||
-rw-r--r-- | etc/mediathekview.profile | 2 | ||||
-rw-r--r-- | etc/okular.profile | 1 | ||||
-rw-r--r-- | etc/scribus.profile | 3 | ||||
-rw-r--r-- | etc/thunderbird.profile | 2 |
11 files changed, 11 insertions, 6 deletions
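--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -18,6 +18,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none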
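--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -17,6 +17,7 @@ caps.drop all
 netfilter
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none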
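--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -36,6 +36,6 @@ noexec /tmp
 
 # Make home directory read-only and allow writing only to ~/.local/share
 # Note: Baloo will not be able to update the "first run" key in its configuration files.
-# noexec ${HOME}/.local/share
 # read-only ${HOME}
 # read-write ${HOME}/.local/share
+# noexec ${HOME}/.local/share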
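Review bot: All three `noexec`/`read-only`/`read-write` lines in this block are commented out, so moving `# noexec ${HOME}/.local/share` to the end changes nothing at runtime, and nothing in the file records why the order matters for whoever later uncomments them. Presumably a later `read-write` remount of the same path would discard the noexec flag — confirm against firejail's mount handling — and that reasoning is worth keeping next to the lines. Suggested comment above the block: `# Order matters: noexec must come after read-write for the same path`.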
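--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -5,6 +5,7 @@ include /etc/firejail/clementine.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ~/.config/Clementine
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc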
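--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -32,6 +32,7 @@ blacklist ${HOME}/.config/akregatorrc
 blacklist ${HOME}/.config/Atom
 blacklist ${HOME}/.config/Audaciousrc
 blacklist ${HOME}/.config/Brackets
+blacklist ${HOME}/.config/Clementine
 blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Franz
 blacklist ${HOME}/.config/Gitter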
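--- a/etc/geary.profile
+++ b/etc/geary.profile
@@ -13,7 +13,6 @@ noblacklist ~/.local/share/geary
 
 mkdir ~/.gnupg
 mkdir ~/.local/share/geary
-whitelist ~/.config/mimeapps.list
 whitelist ~/.gnupg
 whitelist ~/.local/share/applications
 whitelist ~/.local/share/geary
@@ -22,7 +21,6 @@ include /etc/firejail/whitelist-common.inc
 ignore private-tmp
 
 read-only ~/.config/mimeapps.list
-read-only ~/.local/share/applications
 
 # allow browsers
 include /etc/firejail/firefox.profile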
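Review bot: After the second hunk the geary profile still whitelists `~/.local/share/applications` (new line 17) but no longer says that the directory is read-only; that property now rests on a `read-only` line in disable-common.inc, which is outside this hunk and depends on the profile's include and on no `.local` override ignoring it. Whether a read-only from the include still applies once the same path is whitelisted depends on firejail's processing order, which this hunk cannot show, so a quick write attempt inside the sandbox would confirm the protection survived the removal. At minimum, keep the dependency visible in the profile with a comment next to the whitelist line, e.g. `# read-only via disable-common.inc`. The thunderbird.profile section below makes the same change and would benefit from the same comment.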
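--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -23,6 +23,7 @@ caps.drop all
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix
 seccomp
 shell none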
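--- a/etc/mediathekview.profile
+++ b/etc/mediathekview.profile
@@ -6,6 +6,7 @@ include /etc/firejail/mediathekview.local
 include /etc/firejail/globals.local
 
 noblacklist ~/.config/vlc
+noblacklist ~/.java
 noblacklist ~/.mediathek3
 
 include /etc/firejail/disable-common.inc
@@ -17,6 +18,7 @@ caps.drop all
 netfilter
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 tracelog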
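Review bot: `noblacklist ~/.java` (new line 9 in the first hunk) re-exposes the whole directory to the sandboxed process without saying what MediathekView needs it for; the directory is presumably blacklisted by one of the disable-*.inc files included further down, so a reader has to know that to understand the line at all. A one-line comment would help, e.g. `# MediathekView is a Java application; it keeps its preferences under ~/.java`. If only a subtree is actually required (Java's preferences store lives under `~/.java/.userPrefs`), a narrower `noblacklist` would keep the rest of the directory out of the sandbox's reach.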
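--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -26,6 +26,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none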
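--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -5,7 +5,7 @@ include /etc/firejail/scribus.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# Support for PDF readers (Scribus 1.5 and higher)
+# Support for PDF readers comes with Scribus 1.5 and higher
 noblacklist ~/.config/okularpartrc
 noblacklist ~/.config/okularrc
 noblacklist ~/.config/scribus
@@ -30,6 +30,7 @@ caps.drop all
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 tracelog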
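--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -18,7 +18,6 @@ mkdir ~/.gnupg
 mkdir ~/.icedove
 mkdir ~/.thunderbird
 whitelist ~/.cache/thunderbird
-whitelist ~/.config/mimeapps.list
 whitelist ~/.gnupg
 whitelist ~/.icedove
 whitelist ~/.local/share/applications
@@ -28,7 +27,6 @@ include /etc/firejail/whitelist-common.inc
 ignore private-tmp
 
 read-only ~/.config/mimeapps.list
-read-only ~/.local/share/applications
 
 # allow browsers
 include /etc/firejail/firefox.profile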